Thoughts on the Copyright Alert System

UPDATE: Added mention of the $35 appeal fee in the "Appeals" section below.

Today, major ISPs joined the RIAA and MPAA in announcing a joint program to deal with file-sharing. The document governing this agreement, a "Copyright Alert System," is hosted here. Public Knowledge and the Center for Democracy and Technology issued a joint statement on the CAS, available here.

Beyond that, what does this agreement represent? It extends some of the characteristics of some ISPs' existing voluntary notice-forwarding agreements, while stopping short of a three-strikes-and-you're-out procedure.

Summary of the Procedure

Basically, the RIAA and MPAA, or their member labels and studios, will have people trawling P2P sites, downloading files from a blacklist of works. If a downloaded file matches the blacklist, the IP address from which the file was downloaded is logged, and sent in an "ISP Notice" to the appropriate ISP. The ISP then correlates the IP address and time of the download to a particular subscriber. This triggers the "Educational Step." The ISP sends the subscriber an "Alert," which says that they've been suspected of infringing copyrights, that doings so is illegal and can lead to serious consequences (under existing law, the terms of service of their ISP account, and via this new program), and that there are legal ways to download content.

If, after seven days, another ISP Notice gets sent regarding the same user, the ISP can either repeat the "educational" Alert or escalate to step 2, the "Acknowledgement Step." Here, the ISP requires the user to indicate that they have received the Alert, and that they will stop illegally sharing files and tell anyone else using their account to do the same. The Alert also notes that the user's contact information could be sent to the content owners or law enforcement if subpoenaed or if the user wants to later contest the accusations.

If, after seven days, another ISP Notice gets sent regarding the same user, the ISP will repeat the acknowledgement Alert. Another notice after that moves the process on to stage 3, the "Mitigation MeasuresStep." Here, the ISP will forward the Notice and then impose a "mitigation measure." The ISP can either impose its mitigation measure right away, or wait until a second Notice comes in at this stage.

What those measures are is left a bit up in the air. At the worst, the MOU contemplates "restriction of the Subscriber's Internet access for some reasonable period of time." Other measures include throttling the user's bandwidth, redirecting to a "copyright school" landing page, or some other action at the ISP's choice that's meant to be equivalent to the above.

Users can appeal at the Mitigation Measures stage, on the grounds that the wrong account was targeted; the infringement was the result of an unauthorized use of their account; that their sharing of the files was authorized by the copyright holder; that the wrong file was identified; that the work was published before 1923 (and thus was clearly in the public domain), or that the sharing was fair use. The appeals are reviewed by an independent arbitrator, agreed upon beforehand by content and the ISPs.

If a user at either of the first two stages doesn't have any notices associated with their account for a year, their number of strikes gets reset to zero.

So what does all of this mean for users, both as they are subject to the program and in the long run?

The Good and the Bad

Suspension

The presence of account suspension as a possible mitigation measure is particularly troubling, as it means that repeated accusations can cut off a user from important connectivity. Accused file-sharers certainly shouldn't be deprived of the best means to contact the accusing parties, research their defenses, or (in cases of mistake or unauthorized use of their account) figure out just what happened and how to fix it. The fact sheet released with this announcement makes it clear that essential services like voice service won't be disrupted, but it's not clear how to ensure that certain other IP-based protocols will definitely be preserved—unless there's sophisticated deep packet inspection (with its own set of potential problems), or (more likely and more hearteningly) suspension is not in the cards after all.

It does seem unlikely that most ISPs would pick disconnection from among the list of mitigation measures, since it's not really in their best interests to kick paying customers off their rolls. The parties are eager to assure users that the system doesn't require termination, but it hangs there as a threat nonetheless—either via a temporary suspension under the new program, as a separate action the ISP can impose in exchange for a violation of the terms of service, or, if the user is determined through some other process to be a "repeat infringer," through the legal action of the DMCA.

Other remedies, like throttling, would be less severe, but depending upon implementation, can raise their own problems. Depending upon how throttling is handled, discrimination against certain types of applications or content might raise some competitive concerns.

All in all, ensuring that emergency services aren't interrupted helps to prevent extraordinarily disproportionate penalties for an accusation of copyright infringement. Of course, proportionality is only part of the picture—accuracy in the process is another big part.

Appeals

This brings us to the appeals process. According to the agreement, appeals are only available after a mitigation measure is applied, the user doesn't get to formally contest the accusations until her account is already being affected in some way. The fact sheet notes that by the time mitigation measures come into play, it's unlikely that someone will "persist in the content theft." Of course, if that person doesn't think they are infringing copyrights (much less leaving aside the semantics of "content theft"), what procedures are in place for them to clear their name before that time? Will the process be as smooth and seamless as the appeals process is sold as being? Few users accused mistakenly will likely be willing to just sit and wait for a year, hoping that the same mistake doesn't happen again and again. Update: Also, the fact that users are charged a $35 fee to appeal means that users are being charged just to engage in the process. Even though a parking ticket usually costs more than that, there isn't typically a fee to content in court that you should never have received it in the first place.

The list of grounds for appeal is fairly robust, but it's still a limited, exhaustive list. Many public domain works should be excluded by the "published before 1923" defense, butof course, many public domain works were published after that date. The process is intended to be a streamlined one, which explains the reduced number of grounds for defense, but much of this process is guarding against users gaming the system, while assuming that the sending rightsholders or their contractors will use rigorous methodologies and not abuse the system at all.

One interesting example is the defense for "unauthorized use of account." A user apparently can only use this once; if they're accused again of infringement and raise the same defense, the response is apparently that they should have better secured their system/locked down their wifi/scolded their children or houseguests more. This also tends to assume that open wifi is basically a bad thing—something that leads to the offeror being liable for infringement—if not in a court of law, then at least being subject to these mitigation measures. There's a lot of good, civic reasons that individuals might want to share wifi with their neighbors, and this structure seems another strike against that ethos.

Reviewing the System

One of the good things about the new system is that it has built in processes to guard against that kind of abuse. The newly-created "Center for Copyright Information" (CCI) will hire independent technical experts to review the accuracy and security of the methodologies that the content companies are using to report alleged infringers. If a given methodology is deemed fundamentally unreliable," the expert will issue a "finding of inadequacy," which will hopefully induce the content owner to amend their methodology. The Expert is also supposed to consult with privacy experts to ensure that user privacy will be protected. Given how much personal information will likely be flying around in this system, that seems like a necessary safeguard.

Another useful thing to come out of the CCI is the data that will be collected on the notices sent. The number and type of infringements, as well as the type of defenses typically asserted, has long been something of a black box for policymakers, who instead have to rely upon hints and revelations in dribs and drabs. The CCI will be collecting a large sample of this sort of information, and compiling annual reports for the participating entities. Hopefully, some of this information can be made public and used for improving policymaking into the future.

The main public-facing role of the CCI, however, seems to be one of "education." In that, there's always the question of how accurate and balanced the message will be.

The Big Picture

On the whole, the program could be a reasonable effort to reduce P2P infringement and reduce the need for expensive and inefficient litigation. But it clearly has lots of kinks to be worked out and devils to be cleared in the details.

It's important, though, to consider that this agreement still sits within a larger framework of actions and consequences for the individual accused user. The ISP, independently of this system, could still kick a user off for a terms of service violation without any of this process. Content companies can still subpoena ISPs for user information at any time and proceed in a civil suit against the individual. And the DMCA requires ISPs to terminate "repeat infringers." All of these provisions operate in parallel—from existing precedent, for instance, it seems unlikely that a mere Alert makes someone an "infringer" in the eyes of the law. But it would be a mistake to think that the CAS is the only remedy out there. But it does provide the most likely avenue for content and ISPs to take action against file-sharers—litigation is expensive, and, as noted above, ISPs generally don't have a big interest in disconnecting customers when they can reform them instead.

Another big-picture question is how this affects the policy sphere. Certainly, the agreement obviates a lot of efforts to amend the DMCA to require intermediaries to terminate accounts at a mere accusation stage—that's what the new mitigation measures are for. It also would seem to generally dampen the need for new Internet copyright enforcement legislation generally. However, it doesn't seem likely that this announcement will curb content's push to pass related laws like the PROTECT IP Act. This means that the landscape is changing ever-more rapidly. As the CAS changes the relationship between users and ISPs, PROTECT IP threatens to fundamentally change the relationships between websites and payment processors and ad networks, or even the fundamental nature of domain name addressing itself. We can wait and see how the CAS works out for now, but even bigger questions and controversies aren't stopping for this evaluation.